Rico Luzzi on ISO 31030

by Mark Rowe

Rico Luzzi smiled a lot when he spoke to Professional Security, and so would you if you had helped see to the publication of a new international standard, ISO 31030, on travel risk management. We featured Rico in 2015 after he was a finalist in the Association of Security Consultants’ Imbert awards, for best UK university Master’s degree dissertation, and sat down with him recently to discuss the new standard.

Inevitably when we met, the first question was about how Covid influenced the standard. He highlighted that there was significant pressure from some constituents to focus heavily on Covid in the standard, so it was carefully reviewed with Covid in mind. However, the working group decided not to make Covid a stand-out topic of the standard. ‘While the pandemic has been undeniably the biggest event of our time, it’s one of many medical and other types of risks to business travel, very much part of the normal risk assessment process that organisations should be doing. The scale of the Covid pandemic, however, has brought a new focus to the need for a business to have processes in place to address risk, understand and define its risk appetite and criteria, knowing where their people are, what they are doing and how they are going to support them if they fall ill or get stuck.’

The standard, therefore, he feels, has been released at an opportune time. ‘Many organisations, especially small and medium sized, are trying to figure out how they can best manage risk, considering the safety and security of their personnel whilst trying to meet strategic objectives.’ He adds, ‘A lot of organisations will have a travel manager or department getting people from A to B efficiently and cost effectively; they may also have a security manager or department supporting executive travel and travel to high-risk locations. However, not many organisations up until now may have created a dedicated travel risk function, which incorporates all the required internal and external stakeholders needed to address all the types of risk travel exposes an organisation to.’

Now, that is starting to change. He highlights the vacancies, webinars and training that one can now find on LinkedIn. ‘It’s all starting to relate to travel risk, no longer just travel security or travel safety. I’m so pleased every time I see a vacancy for a travel risk manager, as that’s exactly what we need.’ The standard is also part of the ISO 31000 family, so not only can large organisations with mature risk management functions easily integrate the framework into their existing enterprise risk management framework, but small and medium sized organisations can use it to create a standalone travel risk management program which is fit for the size of the business, its industry, profile, risk appetite and exposure.

As in so many other ways, it’s striking from talking to him that while Covid, or a future pandemic, absolutely still matters to travel risk management, so do things already apparent before 2020. One such thing is the shift in our lifetimes from having only two sorts of travel destination: first, the developed or western world, with clean water and rule of law, and altogether low risk – the likes of Paris, Berlin, Stockholm and so on – and second, what was once called the ‘third world’, prone to poor medical infrastructure, unrest, disorder, and power cuts. Rico acknowledges that and highlights the importance of strategic threat and risk assessment to guide the way in which travel to each country is approached, and then the importance of designing scalable processes to conduct operational risk assessments at the level of the individual traveller and trip. He adds that even in developed countries and cities, one day it may be absolutely fine, and the next day in the same place you may see serious unrest, crime, terrorism, or disruption, and you need to be prepared to assist and respond.

Those who work according to other ISO or British Standards will be quite at home with this approach: the need first to strategically understand what your organisation does. It reminded Professional Security of the page in the October edition, where Starbucks’ EMEA business continuity manager Helen Lipscombe, speaking to the Business Continuity Institute, stressed the need to ask questions of your organisation, and listen and learn, to best plan. Rico agrees and says understanding your organisation and the travelling population is one of the most important components of travel risk management. He gives the example of diversity. Many organisations are stressing their commitment to diversity; however, they may be inadvertently sending personnel to countries where being homosexual or transgender may be illegal and expose the traveller to assault, abuse, or detention. Hence, it’s critical that diversity characteristics are explored long before a traveller is booking their trip, as the controls available to treat the risk can sometimes be complex and, in context, fraught with discrimination and privacy considerations.

I asked him about a term that has come to light lately – ‘bleisure’, the mixing of business and leisure. He says organisations are doing everything they can to become employers of choice, and so mixing work with some leisure is being permitted and, in some cases, even promoted. However, if an organisation fails to adequately define the parameters relating to the mix, it can expose both the organisation and traveller to risk. An organisation’s travel risk policy should clearly define organisational requirements such as supervision and traveller responsibilities, which may include restrictions, and clarify stipulations around insurance and organisational support. Rico says that even though ‘bleisure’ isn’t defined in the standard, the definitions of ‘off-duty time’ and ‘personal leave time’ will help guide organisations to carefully consider their stance on the topic, and to identify and document the criteria to integrate into or exclude from travel risk processes.

Rico highlights that setting up a travel risk management programme is not a quick undertaking and could take several years to reach an optimised state, dependent of course on an organisation’s risk management maturity, size, and the resources available. If that sounds like a long time, consider how long it took to get the standard from proposal to fruition.

Rico went to the British Standards Institute (BSI) in late 2014, after his dissertation identified the immediate market need for standardisation. At a meeting of the BSI Societal Security Management committee at the Guildhall in London, he proposed the development of such a standard; this was approved and developed by a working group of UK experts into a BSI publicly available specification – PAS 3001:2016. Due to the success of the PAS in the market in 2016, a proposal was made to the ISO Technical Committee 262 in 2017 to develop an international standard on the topic.

This was formally approved by ballot in early 2018 and ISO TC262 Working Group 7 commenced development in July 2018. Rico recalls the support from BSI stalwart Dr Russell Price in getting the new work item proposal approved, initiated, and developed, as well as the massive contribution over the years from the UK experts on the BSI Travel Risk Management Committee and its chair Kai Boschmann, and from the experts of ISO TC262 Working Group 7 and its convenor Kevin Myers. To develop ISO 31030, seven iterations of the standard were produced, four formal global consultations were conducted, and 1100 comments from 24 countries were reviewed.

About Gian-Rico Luzzi:

Senior Manager Physical Security EMEA at VMware. He’s a member of ISO TC262 Working Group 7; the Risk/Travel Risk management committees at the BSI; the Europe Risk Committee at the Global Business Travel Association; the Security Institute; and the Institute of Travel Management.
